2. What’s new in Spring Security 4.0

There are 175+ tickets resolved with the Spring Security 4.0 release.

2.1 Features

Below are the highlights of the new features found in Spring Security 4.0.

  • Web Socket Support
  • Test Support
  • Spring Data Integration
  • CSRF Token Argument Resolver
  • More Secure Defaults
  • Methods with role in them do not require ROLE_ For example, previously the following would be required within XML configuration:

    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>

    Now you can optionally omit the ROLE_ prefix. We do this to remove duplication. Specifically, since the expression hasRole already defines the value as a role it automatically adds the prefix if it is not there. For example, the following is the same as the previous configuration:

    <intercept-url pattern="/**" access="hasRole('USER')"/>

    Similarly, the following configuration:


    is the same as this more concise configuration:

  • Many Integration Tests Added to Samples
  • Deprecate @EnableWebMvcSecurity - by updating the minimum Spring Version, we can now allow defaulting MVC integration with @EnableWebSecurity but still allow it to be overridden

2.2 Migrating from 3.x to 4.x

As exploits against applications evolve, so must Spring Security. As a major release version, the Spring Security team took the opportunity to make some non-passive changes which focus on:

For complete details on migrating from Spring Security 3 to Spring Security 4 refer to one of the guides below: